Article | 10 December 2025

Back to School – From Classroom to Boardroom, a Practical Guide to Digital Operational Resilience Training under DORA


Introduction

As part of the EU's Digital Decade strategy, the EU adopted the Digital Operational Resilience Act (“DORA”) on the 17th of January 2025. DORA aims to strengthen cybersecurity within the financial sector and has turned “digital resilience” from a boardroom buzzword into everyday practice for financial entities within the EU.

The need for DORA is rooted in the rapid digitalization of our society and the growing number of risks and threats connected to the use of Information and Communication Technology (“ICT”). DORA aims to combat these threats and risks with, inter alia, mandatory hands-on operational resilience training. As such, it is time for all staff, management, and, where appropriate, ICT third-party service providers of DORA entities to go back to (cybersecurity) school and learn a thing or two about operational resilience.

If you are a DORA entity struggling to understand what this all means, this article is for you.

No One Size Fits All

DORA Article 13(6) requires financial entities to embed digital operational resilience training as compulsory modules (no opt-outs) within staff training programmes across all levels of the organisation. The content should be tailored to the role and responsibilities of each audience. While certain core topics will be relevant to everyone with access to ICT systems, the depth and specificity of training must reflect the functions and risk exposure of different staff groups—because jobs differ and so should training.

In practice, personnel with elevated privileges—such as IT administrators and senior management with privileged system access—should receive more advanced instruction, for example on the fun (and sensitive) stuff: secure authentication mechanisms and privileged access management. By contrast, staff with limited data access should receive foundational training that covers password hygiene, multi-factor authentication, phishing awareness, and general security practices—the basics we all know and occasionally forget. The objective is to align training intensity with potential impact on the organisation’s ICT environment.

Training must also be proportionate and risk-based—no need for heroics for low-risk, no half-measures for high-risk. Entities facing higher inherent or residual risk are expected to design and deliver more sophisticated and frequent training, whereas entities with lower exposure may reasonably implement a lighter programme. Traceability is critical: document the rationale, design decisions, delivery, attendance, assessment results, and continuous improvement measures to demonstrate how the training architecture aligns with your entity’s risk profile and evolving threat landscape. If it isn’t documented, it didn’t happen.

There is no one-size-fits-all training blueprint—and that’s a feature, not a bug. Each entity should calibrate its curriculum to its organisational structure, technology stack, risk appetite, and regulatory obligations. The following steps are one way to operationalise this in practice, accompanied by practical considerations to support implementation and ongoing compliance. Your mileage may vary.

Step One – Who’s on the hook? Map your people before you train them

Once you’ve acknowledged your status as a DORA-regulated entity with a duty to implement training, start by charting the landscape of your staff and ICT third-party service providers across your organisation.

The goal is simple: identify exactly who must be in scope for training. In a compact organisation, this may be refreshingly straightforward. In a sprawling group with multiple business lines and a thicket of outsourcing arrangements, it can be more of a treasure hunt—so be systematic, thorough, and a little ruthless about who needs to be included.

Step Two – Map your people to your cyber risks

In step two, line up your mapped staff populations against the ICT risks you’ve actually identified—no guesswork, just evidence.

Start with the obvious cross‑cutting scenarios: credential theft, phishing, and business email compromise. If someone has an email account tied to internal systems, they’re a phishing target. If they’ve got remote access or privileged rights, they’re a higher‑risk target. And if they help run a critical or important function, they need scenario‑based training that tracks to continuity and recovery expectations—because when things wobble, they’ll be holding the steering wheel.

Keep it simple at first. Set a baseline curriculum for everyone that covers cyber hygiene fundamentals, secure data handling, and internal reporting and comms protocols. Then layer on role‑specific modules for the higher‑risk cohorts—privileged users, remote workers, and operators of critical processes. The result is training that’s right‑sized, risk‑aligned, and frankly more effective than death‑by‑slides.

Step Three – Train your ICT third‑party service provider, and perhaps rewrite the fine print

Where it makes sense, bring your ICT third‑party service providers into the school room—and make sure your contracts say that they will have to show up and take notes.

In line with step two, map ICT risk to each ICT third‑party service provider by zeroing in on services that underpin critical or important functions, involve privileged access, or are delivered on‑premises. If the current agreements don’t oblige ICT third‑party service providers to receive the right training for the risks they introduce, then it’s time to sharpen your pencil and renegotiate. Better training, better resilience, fewer surprises.

Step Four – It doesn’t have to be boring

DORA doesn’t prescribe the format or delivery of training, which is both a blessing and a trap. You can stick to slide decks if you must, but relying solely on PowerPoint is a quick way to lose the room. A smarter approach, and one we have seen succeed in our work with clients, is to treat the slides as the spine—not the whole body—and layer in activities that get people thinking, clicking, and actually doing.

Start with short, sharp decks to set the scene and reinforce the “why,” then blend in practical, real-world exercises that mirror your risk profile and operating model. Aim for sessions that feel like they matter on Monday morning, not just on compliance reporting day. For example, you might weave in the following to bring the material to life and build muscle memory across the business and the management body:

  • Phishing simulations delivered via email campaigns that escalate in sophistication over time, with tailored feedback for individuals and teams.
  • Hands‑on incident response exercises aligned to your established playbooks, so the incident response team practices roles, decision points, and communications under time pressure.
  • Structured walkthroughs of ICT response and recovery plans that surface dependencies, RTO/RPO assumptions, and who does what when the lights flicker.
  • Mandatory knowledge checks for management bodies focusing squarely on governance duties, escalation thresholds, and accountability under DORA.

The result is a programme that doesn’t just tick the regulatory box—it strengthens operational resilience, sharpens decision‑making, and nudges behaviours in the right direction. If attendees leave with a few hard lessons, a couple of good questions, and a clear sense of ownership, you’ve done it right.

Step Five – Close the loop

Now it is time to close the loop. Document your training programme comprehensively and define clear indicators to measure its effectiveness. Integrate lessons learned from actual incidents and insights from testing into the curriculum to ensure continuous improvement. By regularly updating and evolving the training, you will remain aligned with the latest cybersecurity practices.

DORA compliance is not a one‑off exercise: training must be delivered on a recurring basis to keep knowledge current and capabilities sharp at all times.

Ending Comment

An effective training programme is proportionate, risk‑based, role‑specific, and continuously refined in response to incidents, testing outcomes, and technological change.

By mapping people to the risks they face, developing engaging, relevant content, and incorporating ICT third‑party service providers where appropriate, you lay the groundwork for a robust, bespoke training framework. Done well, this approach drives meaningful behavioural change where it matters most.
